Thursday, September 13, 2012

Basics of SELinux in Linux

http://www.linuxnix.com/2012/09/basics-of-selinux-in-linux.html

Basics of SELinux

What is SELinux?
SELinux, short for Security Enhanced Linux, is a set of security
policies/modules applied to a machine to improve its overall security.
These are Linux Security Modules (LSM) which are loaded into the kernel
to improve security when services and files are accessed. SELinux
is a security feature which was shipped with RHEL5, and it is much more
secure than other security mechanisms such as PAM and Initd. AppArmor is
sometimes considered equivalent to SELinux. Below is the security model in Linux.

Setting of SELinux

SELinux can be set to one of three modes.

Enforcing – The SELinux security policy is enforced. If this is set, SELinux is enabled and enforces the SELinux policies strictly.

Permissive – SELinux prints warnings instead of enforcing. This setting only gives a warning when an SELinux policy setting is breached.

Disabled – No SELinux policy is loaded. This totally disables SELinux policies.

SELinux policy is also set at one of two levels.

Targeted – Targeted processes are protected.

MLS – Multi Level Security protection.

Get SELinux Status

Example1: Is SELinux enabled or not on your box? Use the command below to get the status.

#getenforce

The output will be either “Enabled” or “Disabled”.

Example2: To see the SELinux status in a simplified way, you can use sestatus.

#sestatus

Sample output:

SElinux status : enabled
SELinux mount : /selinux
Current mode : enforcing
Mode from config file : enforcing
Policy version : 21
Policy from config file : targeted

From the above output we can see that SELinux is enabled and is in enforcing mode.
To see a detailed status, use the -b option, which shows for which services SELinux is enabled and for which it is disabled.

Example3: To get elaborated info on the status of SELinux for different services, use the -b option along with sestatus.

#sestatus -b

Sample output:

[root@centos1 ~]# sestatus -b
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Policy booleans:
abrt_anon_write off
allow_console_login on
allow_corosync_rw_tmpfs off
allow_cvs_read_shadow off
allow_daemons_dump_core on
allow_daemons_use_tty on
allow_domain_fd_use on
allow_execheap off
allow_execmem on
allow_execmod on
allow_execstack on
allow_ftpd_anon_write off
==Clipped the output here==

Disabling SELinux

Example4: How to disable SELinux

We can do it in two ways.

1) Permanent way: edit /etc/selinux/config and change the status of SELINUX from enforcing to disabled.

SELINUX=enforcing
to
SELINUX=disabled

Save the file and exit.

2) Temporary way: execute the command below.

echo 0 > /selinux/enforce
or
setenforce 0
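
The temporary way changes only the running mode and leaves /etc/selinux/config untouched, so sestatus then reports a current mode that differs from the mode in the config file, as in the Example3 sample output. The script below is an added example, not part of the original post: it parses sestatus output and flags that state, and its function names are hypothetical and its sample inputs are constructed from the outputs shown above.

```shell
# Added example: audit sestatus output read on stdin (live use: sestatus | audit_sestatus).
# Returns 0 only when SELinux is enabled, enforcing, and matches the config file.
audit_sestatus() {
    awk -F':[ \t]*' '
        {   # Normalise "Key : value" and "Key:   value" to a lower-case key.
            key = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $2;          gsub(/[ \t]+$/, "", val)
        }
        key == "selinux status"        { status  = val }
        key == "current mode"          { current = val }
        key == "mode from config file" { config  = val }
        END {
            rc = 0
            if (status != "enabled") {
                print "FAIL: SELinux is " (status == "" ? "unknown" : status); rc = 1
            } else {
                if (current != "enforcing") {
                    print "WARN: running mode is " current " (violations are only logged)"; rc = 1
                }
                if (config != current) {
                    print "WARN: running mode " current " differs from config file mode " config; rc = 1
                }
            }
            if (rc == 0) print "OK: enforcing, matches config file"
            exit rc
        }'
}

# Constructed sample: header lines of the Example3 output (booleans omitted).
sample_drift() {
    cat <<'EOF'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
EOF
}

# Constructed sample: lines of the Example2 output, with its "key : value" spacing.
sample_ok() {
    cat <<'EOF'
SElinux status : enabled
Current mode : enforcing
Mode from config file : enforcing
EOF
}

sample_drift | audit_sestatus || true   # two WARN lines, exit status 1
sample_ok | audit_sestatus              # OK line, exit status 0
```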